Netgate Discussion Forum

    The Stack Clash CVE-2017-1000364

    Category: General pfSense Questions
    13 Posts, 7 Posters, 2.5k Views
    • ghostshell

      See article: https://threatpost.com/stack-clash-vulnerability-in-linux-bsd-systems-enables-root-access/126355/

      • aadder

        Not sure where this needs to go. I was wondering if there is anything in the works to fix this asap?

        I do believe this is the original article about it.

        https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash

        • Harvy66

          My layman's understanding: it's not an inherent security flaw, it just means one of the anti-exploit defenses does not work as well as expected.

          • jimp (Rebel Alliance, Developer, Netgate)

            Once FreeBSD fixes it, we'll pull in the changes from there. We already have a patch release cooking for some other issues that need to be addressed, but depending on when they put out a fix it would be included.

            I've heard they are working on it, but it affects primarily 32-bit platforms and exploiting it is unlikely, especially in the context of a firewall.

            So it's worth fixing, but the sky isn't falling. At least for FreeBSD.

            EDIT: Merging duplicate threads in here, so the posts may seem a bit disjointed.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • kpa

              It's not exploitable remotely on pfSense unless the admin has done something to allow an unprivileged user to log in and run their exploit code on the system. In general you don't allow untrusted users to run their own code on your firewall.

              • battles

                From threatpost.com:

                Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root.

                See article here:
                https://threatpost.com/stack-clash-vulnerability-in-linux-bsd-systems-enables-root-access/126355/

                pfSense 2.3.4-RELEASE-p1 (i386)
                FreeBSD 10.3-RELEASE-p19
                pfBlockerNG 2.1.2_1
                Snort Security 3.2.9.5_3
                Intel(R) Atom(TM) CPU N270 @ 1.60GHz

                • Jailer

                  It's being worked on.

                  https://forum.pfsense.org/index.php?topic=132534.msg728726#msg728726

                  • kpa

                    @Jailer you linked the wrong thread. That's the OpenVPN vulnerability which is quite different.

                    FreeBSD just pushed a fix to head (12-CURRENT) and it should be MFC'ed to supported stable and releng branches pretty soon.

                    https://lists.freebsd.org/pipermail/freebsd-security/2017-June/009343.html

                    https://svnweb.freebsd.org/base?view=revision&revision=320317

                    • kpa

                      Also the vulnerability is not a threat to a properly configured pfSense system that doesn't allow unprivileged/untrusted login/execute access to the system.

                      • kpa

                        Fixed on FreeBSD head (12-CURRENT) and MFC expected to supported stable and releng branches within a week.

                        https://lists.freebsd.org/pipermail/freebsd-security/2017-June/009343.html

                        https://svnweb.freebsd.org/base?view=revision&revision=320317

                        @admins Please merge this thread here:

                        https://forum.pfsense.org/index.php?topic=132664.0

                        • kpa

                          @Harvy66:

                          My layman's understanding: it's not an inherent security flaw, it just means one of the anti-exploit defenses does not work as well as expected.

                          It is definitely an inherent security flaw. An unprivileged process should never be able to play games with the system's memory management and trick it into allocating more stack pages from an area of memory that the process already had access to. If the attacker can do that, it opens up many opportunities for compromise, because the stack contains the return addresses for function calls, and if you manage to manipulate those anything is possible. The classic case (possibly the world's first such incident) is the Morris worm:

                          https://en.wikipedia.org/wiki/Morris_worm

                          • Jailer
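The guard-page mechanism kpa is describing can be shown in a few lines. The program below is an added illustration written for this thread, not code from the thread, from FreeBSD or from the Stack Clash write-up, and its layout is a constructed model: three anonymous pages stand in for a "low" mapping (heap or library), a middle page, and a "high" page that plays the role of a downward-growing stack. The function names `probe_middle_page` and `touch_faults` are invented for the example. With the middle page marked `PROT_NONE` (the guard-page idea), a write just below the "high" page faults; without it, the same write silently lands in memory the process already owns, which is the adjacency condition the advisory is about. The research behind CVE-2017-1000364 showed that a single guard page is not enough on its own, which is why the vendor fixes widen the gap rather than just rely on one page.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result codes for probe_middle_page(). */
enum { LAYOUT_FAIL = -1, MIDDLE_WRITABLE = 0, MIDDLE_FAULTS = 1 };

static sigjmp_buf jump_env;
static volatile sig_atomic_t fault_seen;

/* SIGSEGV/SIGBUS handler: record the fault and unwind back into touch_faults(). */
static void on_fault(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(jump_env, 1);
}

/* Write one byte at addr. Returns 1 if the write raised a fault, 0 if it succeeded. */
static int touch_faults(volatile unsigned char *addr)
{
    struct sigaction sa, old_segv, old_bus;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report guard hits as SIGBUS */

    fault_seen = 0;
    if (sigsetjmp(jump_env, 1) == 0)
        *addr = 0x41;                   /* jumps to on_fault() if addr is PROT_NONE */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_seen;
}

/*
 * Constructed model: three adjacent pages [low][middle][high].  "high" stands
 * in for a stack growing downward, "low" for whatever mapping sits beneath it.
 * With with_guard set, the middle page becomes PROT_NONE, i.e. a guard page;
 * without it, the three pages are one contiguous writable region.
 *
 * Returns MIDDLE_FAULTS if a write one byte below "high" faults,
 * MIDDLE_WRITABLE if it silently succeeds, LAYOUT_FAIL on setup errors.
 */
static int probe_middle_page(int with_guard)
{
    long pg = sysconf(_SC_PAGESIZE);
    size_t len = 3 * (size_t)pg;
    unsigned char *base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return LAYOUT_FAIL;

    if (with_guard && mprotect(base + pg, (size_t)pg, PROT_NONE) != 0) {
        munmap(base, len);
        return LAYOUT_FAIL;
    }

    /* The first byte of "high" must be writable in both layouts. */
    int high_ok = !touch_faults(base + 2 * pg);
    /* One byte below "high": the guard page, or plain writable memory without it. */
    int below_faults = touch_faults(base + 2 * pg - 1);

    munmap(base, len);
    if (!high_ok)
        return LAYOUT_FAIL;
    return below_faults ? MIDDLE_FAULTS : MIDDLE_WRITABLE;
}

int main(void)
{
    printf("with guard page:    %s\n",
           probe_middle_page(1) == MIDDLE_FAULTS
               ? "write below the stack page faults (the defence works)"
               : "unexpected: no fault");
    printf("without guard page: %s\n",
           probe_middle_page(0) == MIDDLE_WRITABLE
               ? "write below the stack page lands in the neighbouring mapping"
               : "unexpected: fault");
    return 0;
}
```

Compile with `cc -Wall guard.c -o guard` on Linux or FreeBSD and run it; catching SIGSEGV and unwinding with `siglongjmp` is what lets the program report the fault instead of dying. The point for a defender is the second line of output: when regions are contiguous, nothing in the hardware stops a stack write from landing in a neighbour, so the kernel's guard gap (and its size) is the only thing standing between "stack grew" and "stack overwrote something else".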

                            @kpa:

                            @Jailer you linked the wrong thread. That's the OpenVPN vulnerability which is quite different.

                            FreeBSD just pushed a fix to head (12-CURRENT) and it should be MFC'ed to supported stable and releng branches pretty soon.

                            https://lists.freebsd.org/pipermail/freebsd-security/2017-June/009343.html

                            https://svnweb.freebsd.org/base?view=revision&revision=320317

                            Yes, but if you read what I linked to, which was jimp responding to a question about the OpenVPN vulnerability, he mentions that they are holding off on an update to 2.3.4 waiting for the Stack Clash fix from FreeBSD.

                            Edit: And here's a thread already discussing the issue.

                            https://forum.pfsense.org/index.php?topic=132413.msg728050#new

                            • Harvy66

                              @kpa:

                              @Harvy66:

                              My layman's understanding: it's not an inherent security flaw, it just means one of the anti-exploit defenses does not work as well as expected.

                              It is definitely an inherent security flaw. An unprivileged process should never be able to play games with the system's memory management and trick it into allocating more stack pages from an area of memory that the process already had access to. If the attacker can do that, it opens up many opportunities for compromise, because the stack contains the return addresses for function calls, and if you manage to manipulate those anything is possible. The classic case (possibly the world's first such incident) is the Morris worm:

                              https://en.wikipedia.org/wiki/Morris_worm

                              Yeah, turned out it was something more nefarious. It wasn't just about smashing stacks in an application's own virtual memory, but being able to access kernel memory, allowing for a priv esc attack.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.